Basically, I want to know if this is possible with an ASA5510.
I know in my experience, I've been able to do some internal subnet routing with the ASAs, but for some reason I can't get this one to work.
Basically, I have an internal network of 192.0.0.0 that I want to have a route to another external network of 162.xx.xx.0 for which there is a router on site. Unfortunately I have no access to that router, and the owner of it will NOT change the config, period.
Currently the only way to use that router and transmit data through it is to use separate computers on a 162.xx.xx.0 subnet.
The client would like to use 192.xx.xx.0 machines to access that network, as well as the VPN users on the 172.16.0.0 network.
I have added a static route to the 162.xx.xx.0 network pointing to 162.xx.xx.1 which is the internal IP of the untouchable router.
I also added ACL entries to allow traffic between 192.0.0.0 and 162.xx.xx.0, as well as a static (inside,inside) statement for 162.xx.xx.0.
What else am I missing, or is this even possible?
I know just adding an internal router into the equation is the easiest solution, but I'd like to avoid that if possible.
The device that the ASA and the router connect into in your diagram - is that an L2 switch? If so this won't work, simply because for the ASA to route between the subnets it needs an interface in both subnets, and it only has an interface in the 192.0.0.0 network.
If it is L2 it looks like you are running 2 completely separate networks on the same switch. With that setup, as I say, it will never work. You could look to use subinterfaces on the ASA, or just another interface, and give it an address from the 162.x.x.x network and then make the connection from the switch to the ASA a trunk connection. But this is assuming a lot of things.
Who controls the switch, and can it be reconfigured?
An 1841 would work fine. Presumably you would connect this to the HP ProCurve and then have one interface in the 165.x.x.x network and one in the 192.0.0.0 network?
If so be aware that the existing router may well not have a route to your 192.0.0.0 or 172.16.x.x VPN subnets so you will need to NAT all source IPs to the 165.x.x.x interface address on the 1841 as the traffic goes to the existing router.
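As an added illustration of the 1841 approach described in the reply above (this is example configuration written for this thread, not anything posted by the participants): the 1841 gets one interface in the 192 LAN and one in the law-enforcement subnet, and every source address leaving toward the untouchable router is translated to the 1841's own address on that subnet, so the untouchable router never needs a route back to 192.0.0.0 or to the 172.16.0.0 VPN pool. All addresses, interface names and masks are assumptions: the thread writes the protected network as 162.xx.xx.0 (and once as 165.x.x.x), so 162.0.2.0/24 is used below purely as a placeholder for it, 192.0.0.0/24 is assumed for the inside LAN with the ASA inside address at 192.0.0.1, and the 1841 is given .2 on both sides.

```cisco
! ---- 1841 (hypothetical config, added example; all addresses are placeholders) ----
! Inside-facing interface, on the same L2 switch as the ASA inside interface.
interface FastEthernet0/0
 description Inside - 192 LAN and ASA (assumed 192.0.0.0/24)
 ip address 192.0.0.2 255.255.255.0
 ip nat inside
!
! Interface on the untouchable router's subnet. 162.0.2.0/24 stands in for the
! thread's 162.xx.xx.0; the untouchable router is .1 as stated in the question.
interface FastEthernet0/1
 description Toward Dept of Law Enforcement router (placeholder 162.0.2.0/24)
 ip address 162.0.2.2 255.255.255.0
 ip nat outside
!
! VPN users (172.16.0.0, per the question) sit behind the ASA, so send that
! range back to the ASA inside address. Everything else not directly connected
! also goes to the ASA so the 1841 is never a black hole.
ip route 172.16.0.0 255.255.0.0 192.0.0.1
ip route 0.0.0.0 0.0.0.0 192.0.0.1
!
! Only the two source ranges the client wants on the protected network are
! translated; anything else is not NATed and therefore not forwarded usefully.
ip access-list standard NAT-TO-LE
 permit 192.0.0.0 0.0.0.255
 permit 172.16.0.0 0.0.255.255
!
! PAT every permitted source to the 1841's own 162 address as it leaves
! FastEthernet0/1 - this is the translation the reply above says is required.
ip nat inside source list NAT-TO-LE interface FastEthernet0/1 overload

! ---- ASA (hypothetical; replaces the route to 162.xx.xx.1 and the
! ---- static (inside,inside) from the question) ----
! Point the protected subnet at the 1841's inside address instead of at the
! untouchable router, for both LAN and VPN users.
route inside 162.0.2.0 255.255.255.0 192.0.0.2 1
! LAN hosts that use the ASA as default gateway arrive on "inside" and leave
! on "inside" again toward the 1841; the ASA drops that hairpin unless
! intra-interface traffic is permitted.
same-security-traffic permit intra-interface
```

Two points worth checking on a real deployment: the ASA's existing ACLs must still permit 192.0.0.0 and 172.16.0.0 sources to the 162 subnet (the NAT on the 1841 does not bypass ASA inspection), and `show ip nat translations` on the 1841 is the quickest way to confirm that packets toward the protected subnet are actually being translated to the 162 interface address rather than forwarded with their original 192/172 source, which the untouchable router could not reply to.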
I had also considered what you said about the existing router configuration, so that would take some configuring as well to get both the 192 and 172 subnets talking to the 162 network, but it could be done.
This all would be much easier if we had access/ownership of the existing router, but being a police department it is a Department of Law Enforcement private network and they do not adjust their equipment configuration.